Introduction

Question 1

What are the two main approaches to information security?

Answer 1

The ability to resist certain threats, and the maintenance of objectives for the resources

Question 2

Threats can give rise to what?

Answer 2

Violations

Question 3

What are the three types of security violation?

Answer 3

Unauthorised information release, Unauthorised information modification and unauthorised denial of use

Question 4

Security violations can occur because of what three things?

Answer 4

Inadequate physical controls, inadequate controls within a computer system and inadequate controls for communications networks

Question 5

What is a vulnerability?

Answer 5

A vulnerability is a flaw in design or implementation of a system that could lead to a security violation

Question 6

In order to exploit a vulnerability, what must be assumed of attackers?

Answer 6

Attackers must know about the vulnerability and must be able to exploit the vulnerability

Question 7

What are the two main types of attacker?

Answer 7

Insider attacker and Outsider attacker

Question 8

What is the CIA triad?

Answer 8

Confidentiality, prevention of unauthorised information release, Integrity, prevention of unauthorised information modification, and Availability, prevention of unauthorised denial of use

Question 9

What can security be defined as in accordance with the CIA triad?

Answer 9

Security can be defined as meeting the CIA triad’s goals

Question 10

When is a security goal from the CIA triad met?

Answer 10

A security goal is met if and when the corresponding security violation does not occur

Question 11

Why is achieving a security goal difficult?

Answer 11

It is difficult to anticipate every way an attacker can cause a security violation

Question 12

What is confidentiality?

Answer 12

Confidentiality is about preventing users from reading information they are not supposed to

Question 13

What is integrity?

Answer 13

Integrity is ensuring that all information has been kept the way it is meant to be

Question 14

What is availability?

Answer 14

Availability is ensuring that services are accessible on demand for authorised users

Question 15

What is accountability?

Answer 15

Accountability is holding users accountable for all of their actions

Question 16

What is reliability?

Answer 16

Reliability is ensuring that the service remains consistent

Question 17

What is a security event?

Answer 17

A security event is an occurrence in a system which may indicate a security violation

Question 18

What is security event management?

Answer 18

Security event management is putting in place a defined procedure for reporting and managing security events

Question 19

What is data privacy?

Answer 19

The notion of protecting someone’s Personally Identifiable Information (PII)

Question 20

What is the difference between computer security and network security?

Answer 20

Computer security is protection of data stored in memory, while network security is protection of data in transit

Question 21

What is a security policy?

Answer 21

A policy is the ‘intentions and direction of an organisation as formally expressed by its top management’. A security policy is a policy that ‘includes security objectives or provides the framework for setting information security objectives’

Question 22

What are security objectives?

Answer 22

Security objectives are the goals of the information security management system related to the assets of an organisation and the criticality of the assets

Question 23

What are security controls?

Answer 23

A security control is a measure that is reducing risk. Controls include policies, processes and devices

Question 24

What is risk assessment?

Answer 24

Risk assessment is the ‘overall process of risk identification, risk analysis, and risk evaluation’

Question 25

What is risk analysis?

Answer 25

Risk analysis is the ‘process to comprehend the nature of risk and to determine the level of risk’

Question 26

What is risk criteria?

Answer 26

Risk criteria are the ‘terms of reference against which the significance of risk is evaluated’

Question 27

What is risk evaluation?

Answer 27

Risk evaluation is the ‘process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable’

Question 28

What is risk treatment?

Answer 28

Risk treatment is the ‘process of modifying risk’ whether by ignoring it or creating controls